Received: with ECARTIS (v1.0.0; list xfs); Mon, 30 Jun 2008 23:16:31 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.3.0-r574664 (2007-09-11) on oss.sgi.com X-Spam-Level: X-Spam-Status: No, score=-2.4 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.0-r574664 Received: from larry.melbourne.sgi.com (larry.melbourne.sgi.com [134.14.52.130]) by oss.sgi.com (8.12.11.20060308/8.12.11/SuSE Linux 0.7) with SMTP id m616GQ94023741 for ; Mon, 30 Jun 2008 23:16:28 -0700 Received: from [134.14.55.78] (redback.melbourne.sgi.com [134.14.55.78]) by larry.melbourne.sgi.com (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id QAA20753; Tue, 1 Jul 2008 16:17:14 +1000 Message-ID: <4869CCE9.1020304@sgi.com> Date: Tue, 01 Jul 2008 16:21:29 +1000 From: Lachlan McIlroy Reply-To: lachlan@sgi.com User-Agent: Thunderbird 2.0.0.14 (X11/20080421) MIME-Version: 1.0 To: Christoph Hellwig CC: xfs-dev , xfs-oss Subject: Re: [PATCH] Fix use after free when closing log/rt devices References: <48647746.5010007@sgi.com> <20080627063219.GA25015@infradead.org> In-Reply-To: <20080627063219.GA25015@infradead.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV 0.91.2/6021/Wed Feb 27 15:55:48 2008 on oss.sgi.com X-Virus-Status: Clean X-archive-position: 16667 X-ecartis-version: Ecartis v1.0.0 Sender: xfs-bounce@oss.sgi.com Errors-to: xfs-bounce@oss.sgi.com X-original-sender: lachlan@sgi.com Precedence: bulk X-list: xfs Christoph Hellwig wrote: > On Fri, Jun 27, 2008 at 03:14:46PM +1000, Lachlan McIlroy wrote: >> The call to xfs_free_buftarg() will free the memory used by it's argument >> so we need to save the bdev to pass to xfs_blkdev_put() >> >> Lachlan >> >> --- fs/xfs/linux-2.6/xfs_super.c_1.432 2008-06-27 14:51:17.000000000 +1000 >> +++ fs/xfs/linux-2.6/xfs_super.c 2008-06-27 14:59:26.000000000 +1000 >> @@ -781,13 +781,17 @@ STATIC void >> xfs_close_devices( >> struct xfs_mount *mp) >> { >> + struct block_device *bdev; >> + >> if (mp->m_logdev_targp && mp->m_logdev_targp != mp->m_ddev_targp) { >> + bdev = mp->m_logdev_targp->bt_bdev; >> xfs_free_buftarg(mp->m_logdev_targp); >> - xfs_blkdev_put(mp->m_logdev_targp->bt_bdev); >> + xfs_blkdev_put(bdev); >> } >> if (mp->m_rtdev_targp) { >> + bdev = mp->m_rtdev_targp->bt_bdev; >> xfs_free_buftarg(mp->m_rtdev_targp); >> - xfs_blkdev_put(mp->m_rtdev_targp->bt_bdev); >> + xfs_blkdev_put(bdev); >> } > > Looks good, alhough two local variables inside the ifs might be cleaner: > > if (mp->m_logdev_targp && mp->m_logdev_targp != mp->m_ddev_targp) { > struct block_device *logdev = mp->m_logdev_targp->bt_bdev; > > xfs_free_buftarg(mp->m_logdev_targp); > xfs_blkdev_put(logdev); > } > > ... > Thought someone might suggest that. I'll make the changes, thanks.